Over the last decade, malicious software (malware) has become a pervasive problem for Internet users. In some situations, malware is an exploit, in the form of an executable program for example, which is embedded within downloadable content and designed to adversely influence or attack normal operations of a computer. Examples of different types of exploits may include bots, computer viruses, worms, Trojan horses, spyware, adware, or any other programming that operates within an electronic device (e.g. computer, tablet, smartphone, server, router, wearable technology, or other types of electronics with data processing capability) without permission by the user or an administrator.
For instance, exploits may be present in one or more files infected through any of a variety of attack vectors, where the files are part of network traffic. For instance, as an illustrative example, the file may have a Portable Executable (PE) file format where the exploit is activated upon execution (opening) of the file.
Currently, malware detection systems are deployed to extract content from plaintext files within network traffic and analyze such content for malware. However, given that there has been a significant increase in malware propagation through the use of encrypted files, especially files encrypted through use of an Exclusive OR (XOR) function, additional functionality is needed to conduct real-time malware analysis of these types of encrypted files.
It is noted that the conventional method for analyzing encrypted files for malware involves a computationally intensive, brute-force technique. More specifically, this “brute-force” technique is a rudimentary key detection scheme in which iterative decryption operations are conducted on an encrypted file using different key combinations in the hopes of recovering the plaintext version of the file. For instance, in order to recover plaintext from a file encrypted with a one-byte XOR key, this brute-force technique would undergo up to 256 (28) iterative decryption operations. However, in order to recover the plaintext from a file encrypted with a two-byte XOR key or a three-byte XOR key, this brute-force technique would need to undergo up to 65,536 (216) iterative decryption operations or over 16 million (224) iterative decryption operations, respectively.
Clearly, the current brute-force technique is unsuitable for real-time (on-the-fly) malware analysis.